The problems with password security are well known. People naturally gravitate toward passwords they can easily remember, and they reuse those same passwords across multiple accounts. This makes the accounts easy to breach.
While you can tell employees to use strong passwords that combine letters, numbers, and symbols, in practice this isn’t feasible. Employees who are forced to create difficult passwords they can’t remember often end up wasting time going through “lost password” processes.
Up to 11 hours per year, per employee, are wasted resetting passwords.
Another cause of business application accounts being breached is the large number of thefts of big repositories of user information. A breach of a company like Facebook or Equifax (as has happened) can expose millions of usernames and passwords, which are then sold and resold on the Dark Web.
The result is that companies must deal with attacks carried out from inside their own systems using compromised credentials. This can include things like:
- Planting malware or ransomware
- Sending phishing emails from a company email account
- Stolen or deleted data
- Data breach of customer records
- Security and user settings in an account being changed
One of the best ways we know to protect those passwords is by requiring another form of authentication before someone is granted access to a website or cloud account.
There are two main ways to do this:
- Two-factor authentication (2FA); and
- Multi-factor authentication (MFA)
We’ll go through each below and explain why MFA is the more secure system to implement.
What Are Factors of Identification?
MFA and 2FA both require additional identification factors beyond a single one. There are three standard categories of these factors:
- What you know: This can be a username and password combination, a photo that you recognize, or the answer to a challenge question (e.g., what was your first pet’s name?).
- What you have: This is something physical that is in your possession, like your mobile device, computer, or a security key.
- What you are: This factor would include unique identifiers for you personally, such as a fingerprint or retina scan.
Two-factor Authentication uses a total of two factors. The first will generally be your username and password (what you know) and the second, a code that is sent to a device in your possession (what you have).
In the most common 2FA scenario, a user will enter their login into a web form and then click to send a code to their phone for the second factor of authentication. In seconds, this arrives by text message, and they enter the code and get logged in.
This system does help protect accounts, but hackers are beginning to find ways around SMS-based authentication. For example, there is a type of malware that, once it infects a mobile device, duplicates information from the SIM card and sends it to a hacker. The hacker can then read the text messages the device receives, including any 2FA codes.
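Whatever channel delivers the second-factor code, the server side has to treat that code as a short-lived, single-use secret. The following is an added example written for this article, not code from the original page or from any vendor it mentions: it issues a six-digit code, stores only a hash of it, and rejects expired, replayed, or repeatedly guessed codes. The lifetime (300 seconds), the attempt budget (3), and the `deliver` callback that stands in for the SMS or app channel are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300   # assumed lifetime of a delivered code
MAX_ATTEMPTS = 3         # assumed guesses allowed before the code is invalidated


@dataclass
class PendingChallenge:
    code_hash: bytes       # only a hash of the code is kept server-side
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS
    used: bool = False


class SecondFactorService:
    """Server side of the 'code sent to a device you possess' step."""

    def __init__(self, deliver, clock=time.time):
        # deliver(user_id, code) is the hypothetical SMS/app delivery channel
        self._deliver = deliver
        self._clock = clock
        self._pending: dict[str, PendingChallenge] = {}

    @staticmethod
    def _hash(code: str) -> bytes:
        return hashlib.sha256(code.encode()).digest()

    def issue(self, user_id: str) -> None:
        # Six digits drawn from the OS CSPRNG, never from random.random().
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user_id] = PendingChallenge(
            code_hash=self._hash(code),
            expires_at=self._clock() + CODE_TTL_SECONDS,
        )
        self._deliver(user_id, code)

    def verify(self, user_id: str, submitted: str) -> bool:
        ch = self._pending.get(user_id)
        if ch is None or ch.used or ch.attempts_left <= 0:
            return False
        if self._clock() > ch.expires_at:
            del self._pending[user_id]          # expired: force a fresh code
            return False
        ch.attempts_left -= 1
        # Constant-time comparison so timing does not leak matching digits.
        ok = hmac.compare_digest(self._hash(submitted), ch.code_hash)
        if ok:
            ch.used = True                       # single use: replay fails
            del self._pending[user_id]
        elif ch.attempts_left == 0:
            del self._pending[user_id]          # budget exhausted: lock out
        return ok


if __name__ == "__main__":
    sent = {}
    svc = SecondFactorService(deliver=lambda u, c: sent.__setitem__(u, c))
    svc.issue("alice")
    print("correct code accepted:", svc.verify("alice", sent["alice"]))
    print("replay rejected:", not svc.verify("alice", sent["alice"]))
```

Note that the single-use and expiry checks do nothing against the SIM-cloning scenario described above, where the attacker reads the genuine code before the user does; they limit the damage of guessing and of codes captured after use, which is why the delivery channel itself still matters.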
Multi-factor Authentication, as you may have guessed by the name, offers more than two factors of authentication. MFA provides flexibility to be deployed in a number of ways that not only include using the method we described above, but also passwordless access methods.
An example of using multi-factor authentication would be a user who first enters their login details and then receives a QR code on the screen that they must scan with their device. If the user has administrative credentials, a third factor could be added through the use of a challenge question.
What Are the Benefits of Using Multi-Factor Authentication Over Two-Factor?
Better Account Security
The more flexibility and levels of authentication you can deploy in your credential management, the better protected your accounts are. Rather than giving every user in every situation the same requirements for system access, you can create more secure, contextual authentication policies.
Improved User Productivity
When you use an MFA system with the capability to identify certain unique traits about a user device, such as the TraitWare system that Connect2Geek is partnered with, you can improve the login experience.
For users that are known to be in the same building as your office, you can reduce the number of authentication challenges, while keeping them higher for those outside your immediate network.
Data Security Industry Standards Are Moving Towards MFA over 2FA
PCI DSS, one of the major data security standards, has been updated to replace references to 2FA with the more robust MFA.
More Flexibility for Privileged Account Protection
With multiple factors of authentication in your access management toolbox, you can better protect privileged accounts, which should be given higher access security requirements.
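The contextual policies described in the sections above (fewer challenges for known devices inside the office, more for users outside the network, and a third factor for privileged accounts) can be expressed as a small policy function. The following is an added example written for this article; it is not TraitWare's or Connect2Geek's code, and the specific rules, factor names, and the `LoginContext` fields are assumptions chosen to illustrate the idea. It also checks that every resulting policy still spans at least two of the three factor categories, so that "reducing challenges" never collapses to a single factor.

```python
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    """Each member name starts with its category: KNOWLEDGE_, POSSESSION_ or INHERENCE_."""
    KNOWLEDGE_PASSWORD = "password"             # what you know
    KNOWLEDGE_CHALLENGE = "challenge_question"  # what you know (second knowledge item)
    POSSESSION_DEVICE_TRAIT = "known_device"    # what you have: device the system recognises
    POSSESSION_CODE = "device_code"             # what you have: code sent to the device
    INHERENCE_BIOMETRIC = "biometric"           # what you are

    @property
    def category(self) -> str:
        return self.name.split("_", 1)[0]


@dataclass(frozen=True)
class LoginContext:
    """Signals available at login time (hypothetical field set)."""
    user_id: str
    privileged: bool            # administrative credentials
    on_office_network: bool     # request originates from the office network
    known_device: bool          # device traits match a previously enrolled device


def required_factors(ctx: LoginContext) -> frozenset[Factor]:
    """Illustrative policy: assumed rules, not any vendor's defaults."""
    req = {Factor.KNOWLEDGE_PASSWORD}
    if ctx.known_device:
        # A recognised device is itself a possession factor, checked silently.
        req.add(Factor.POSSESSION_DEVICE_TRAIT)
    if not (ctx.on_office_network and ctx.known_device):
        # Outside the office, or on an unrecognised device: demand a delivered code.
        req.add(Factor.POSSESSION_CODE)
    if ctx.privileged:
        # Privileged accounts always get a third, knowledge-based challenge ...
        req.add(Factor.KNOWLEDGE_CHALLENGE)
        if not ctx.on_office_network:
            # ... and a biometric when they are off the office network.
            req.add(Factor.INHERENCE_BIOMETRIC)
    return frozenset(req)


def distinct_categories(factors) -> int:
    """Number of distinct factor categories; true MFA needs at least two."""
    return len({f.category for f in factors})


def decide(ctx: LoginContext, presented: set[Factor]) -> tuple[bool, frozenset[Factor]]:
    """Return (allowed, missing factors) for the factors the user has satisfied."""
    req = required_factors(ctx)
    assert distinct_categories(req) >= 2, "policy must never fall back to one category"
    missing = req - presented
    return (not missing, frozenset(missing))


if __name__ == "__main__":
    staff_in_office = LoginContext("staff", privileged=False, on_office_network=True, known_device=True)
    admin_remote = LoginContext("admin", privileged=True, on_office_network=False, known_device=True)
    for ctx in (staff_in_office, admin_remote):
        print(ctx.user_id, sorted(f.value for f in required_factors(ctx)))
```

Run with different contexts, the same user is asked for two factors at their desk but five when logging in remotely as an administrator; the `decide` helper reports exactly which ones are still outstanding so a login flow can step up rather than start over.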
Learn More About MFA & How You Can Deploy This Without Passwords!
How would you like to get rid of passwords altogether, while improving your credential security? Connect2Geek can show your Treasure Valley business affordable solutions to better protect your accounts.
Schedule your free consultation to learn more today! Call 208-468-4323 or reach out online.